Re: [openssl.org #3120] Minimum size of DH

2014-03-30 Thread Viktor Dukhovni
On Fri, Mar 28, 2014 at 07:44:53PM +0100, Dr. Stephen Henson wrote: Certainly. Nothing is set in stone at this stage. It's only part of the master branch and won't appear in a release for a while yet. [...] Yes I'm aware of some of the problems here. I do want OpenSSL to reject attempts

Re: [openssl.org #3120] Minimum size of DH

2014-03-28 Thread Dr. Stephen Henson
On Fri, Mar 14, 2014, Nikos Mavrogiannopoulos wrote: On Thu, 2014-03-13 at 22:52 +0100, Stephen Henson via RT wrote: On Thu Mar 13 20:12:38 2014, d...@fifthhorseman.net wrote: This is a hard-coded patch to make OpenSSL clients reject connections which use DHE handshakes with 1024 bits.

Re: [openssl.org #3120] Minimum size of DH

2014-03-28 Thread Viktor Dukhovni
On Fri, Mar 28, 2014 at 05:57:42PM +0100, Dr. Stephen Henson wrote: In the new Fedora we will try system-wide configuration parameters for all crypto libraries (patch [0] was along that line), so such a change is very good news. It would be nice if that branch was public for comments or

Re: [openssl.org #3120] Minimum size of DH

2014-03-28 Thread Dr. Stephen Henson
On Fri, Mar 28, 2014, Viktor Dukhovni wrote: On Fri, Mar 28, 2014 at 05:57:42PM +0100, Dr. Stephen Henson wrote: In the new Fedora we will try system-wide configuration parameters for all crypto libraries (patch [0] was along that line), so such a change is very good news. It would be

Re: [openssl.org #3120] Minimum size of DH

2014-03-28 Thread Dr. Stephen Henson
On Fri, Mar 28, 2014, Dr. Stephen Henson wrote: On Fri, Mar 28, 2014, Viktor Dukhovni wrote: On Fri, Mar 28, 2014 at 05:57:42PM +0100, Dr. Stephen Henson wrote: In the new Fedora we will try system-wide configuration parameters for all crypto libraries (patch [0] was along that

Re: [openssl.org #3120] Minimum size of DH

2014-03-28 Thread Viktor Dukhovni
On Fri, Mar 28, 2014 at 06:57:34PM +0100, Dr. Stephen Henson wrote: Well what goes in each security level is up for discussion and can be changed. So perhaps session tickets can be allowed at somewhat higher levels? As you note level 2 and higher generally will have problems with today's

Re: [openssl.org #3120] Minimum size of DH

2014-03-28 Thread Viktor Dukhovni
On Fri, Mar 28, 2014 at 07:27:59PM +0100, Dr. Stephen Henson wrote: One possibility I'd considered is to move levels 1 and above along one. Then you'd have... Level 0: anything goes. Level 1: almost anything goes but stupid stuff like DH, RSA keys 512 bits excluded. And the corresponding

Re: [openssl.org #3120] Minimum size of DH

2014-03-28 Thread Dr. Stephen Henson
On Fri, Mar 28, 2014, Viktor Dukhovni wrote: On Fri, Mar 28, 2014 at 06:57:34PM +0100, Dr. Stephen Henson wrote: Well what goes in each security level is up for discussion and can be changed. So perhaps session tickets can be allowed at somewhat higher levels? Certainly. Nothing is

Re: [openssl.org #3120] Minimum size of DH

2014-03-28 Thread Dr. Stephen Henson
On Fri, Mar 28, 2014, Viktor Dukhovni wrote: On Fri, Mar 28, 2014 at 07:27:59PM +0100, Dr. Stephen Henson wrote: One possibility I'd considered is to move levels 1 and above along one. Then you'd have... Level 0: anything goes. Level 1: almost anything goes but stupid stuff like DH,

Re: [openssl.org #3120] Minimum size of DH

2014-03-28 Thread Viktor Dukhovni
On Fri, Mar 28, 2014 at 07:44:53PM +0100, Dr. Stephen Henson wrote: What are your thoughts on level 1? Do you think those requirements are reasonable? Currently (subject to change!) level 1 is the default level. I am not personally aware of any interoperability obstacles to the proposed level

Re: [openssl.org #3120] Minimum size of DH

2014-03-28 Thread Viktor Dukhovni
On Fri, Mar 28, 2014 at 08:00:06PM +0100, Dr. Stephen Henson wrote: Therefore, implementations can over time move to encrypt session tickets with 256-bit keys. So I would not exclude session tickets at any of the security levels, this adds no security, but makes the use of security less

Re: [openssl.org #3120] Minimum size of DH

2014-03-14 Thread Nikos Mavrogiannopoulos
On Thu, 2014-03-13 at 22:52 +0100, Stephen Henson via RT wrote: On Thu Mar 13 20:12:38 2014, d...@fifthhorseman.net wrote: This is a hard-coded patch to make OpenSSL clients reject connections which use DHE handshakes with 1024 bits. I should've commented on this before, sorry. I'm

[openssl.org #3120] Minimum size of DH

2014-03-13 Thread Stephen Henson via RT
On Thu Mar 13 20:12:38 2014, d...@fifthhorseman.net wrote: This is a hard-coded patch to make OpenSSL clients reject connections which use DHE handshakes with 1024 bits. I should've commented on this before, sorry. I'm currently working on a framework where several security parameters can be

Re: [openssl.org #3120] Minimum size of DH

2014-03-13 Thread Daniel Kahn Gillmor via RT
On 03/13/2014 05:52 PM, Stephen Henson via RT wrote: I should've commented on this before, sorry. I'm currently working on a framework where several security parameters can be configured at both compile time and runtime, including DH parameter sizes. It's still under development at present

RE: [openssl.org #3120] Minimum size of DH

2013-09-02 Thread Dave Thompson
From: owner-openssl-...@openssl.org On Behalf Of Kurt Roeckx via RT Sent: Saturday, 31 August, 2013 12:54 It seems that s_server by default uses 512 bit for the DHE if it's not specified, and s_client just accepts that. Is there a way to set a minimum size? I think 512 really is too

[openssl.org #3120] Minimum size of DH

2013-08-31 Thread Kurt Roeckx via RT
It seems that s_server by default uses 512 bit for the DHE if it's not specified, and s_client just accepts that. Is there a way to set a minimum size? I think 512 really is too short and shouldn't be accepted by any client. I think we should have a minimum of 1024. Kurt